EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Hi,

I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
doesn't.

Is there anything I'm missing? The problem appears to be that the client
doesn't send over the client cert. I know Windows is very fussy with what
it accepts as a cert for EAP-TLS, but I'm confused as to why it works for
one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase
...
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
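The handshake trace above already answers the question "does the client send its cert": the server writes CertificateRequest, then sits in "read client certificate A" until the EAP session times out. The script below is an added example, not code from the thread or from FreeRADIUS, that pulls that sequence out of radiusd -X output and reports whether a client Certificate message ever followed the CertificateRequest. SAMPLE_STALLED is the excerpt above with wrapped lines rejoined; SAMPLE_OK is a constructed trace of the successful case, assumed to use the same logging format.

```python
import re
from typing import Dict, List

# Constructed sample: the radiusd -X excerpt from this thread, wrapped lines rejoined.
SAMPLE_STALLED = """\
Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept initialization
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state 0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
"""

# Constructed sample of the successful case (assumed same log format): the client
# answers the CertificateRequest with its own Certificate and CertificateVerify.
SAMPLE_OK = """\
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 005a], ClientHello
Mon Sep 16 13:00:00 2013 : Info: [tls] TLS_accept: SSLv3 read client hello A
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 0031], ServerHello
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 053e], Certificate
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 000d], CertificateRequest
Mon Sep 16 13:00:00 2013 : Info: [tls] TLS_accept: SSLv3 write certificate request A
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 0401], Certificate
Mon Sep 16 13:00:00 2013 : Info: [tls] TLS_accept: SSLv3 read client certificate A
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 0086], ClientKeyExchange
Mon Sep 16 13:00:00 2013 : Info: [tls]  TLS 1.0 Handshake [length 0086], CertificateVerify
Mon Sep 16 13:00:00 2013 : Info: [tls] TLS_accept: SSLv3 read certificate verify A
"""

HANDSHAKE_RE = re.compile(r"\[tls\]\s+TLS \d\.\d Handshake \[length ([0-9a-f]+)\], (\w+)")
STATE_RE = re.compile(r"\[tls\] TLS_accept: (.*)$")
UNFINISHED_RE = re.compile(r"EAP session for state (0x[0-9a-f]+) did not finish")


def analyse_tls_log(text: str) -> Dict[str, object]:
    """Summarise how far the TLS handshake got and whether the peer sent a cert."""
    messages: List[str] = []        # handshake message types, in log order
    last_state = ""                 # last TLS_accept state the server reported
    unfinished: List[str] = []      # EAP state ids that timed out
    for line in text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            messages.append(m.group(2))
            continue
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(1).strip()
            continue
        m = UNFINISHED_RE.search(line)
        if m:
            unfinished.append(m.group(1))

    server_requested = "CertificateRequest" in messages
    # The first Certificate message is the server's own; a client certificate can
    # only be the Certificate message that follows the CertificateRequest.
    after_request = messages[messages.index("CertificateRequest") + 1:] if server_requested else []
    client_cert_seen = "Certificate" in after_request

    if unfinished and server_requested and not client_cert_seen:
        verdict = ("client never answered CertificateRequest with a Certificate; "
                   "check supplicant certificate selection (Certificate_Compatibility)")
    elif unfinished:
        verdict = f"EAP session did not finish; last TLS_accept state: {last_state}"
    elif client_cert_seen:
        verdict = "client certificate received"
    else:
        verdict = "no unfinished EAP session reported; check the full log"

    return {
        "messages": messages,
        "last_state": last_state,
        "server_requested_cert": server_requested,
        "client_cert_seen": client_cert_seen,
        "unfinished_sessions": unfinished,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("stalled", SAMPLE_STALLED), ("ok", SAMPLE_OK)):
        r = analyse_tls_log(log)
        print(f"{name}: {r['messages']} -> {r['verdict']}")
```

Run it against a real `radiusd -X` capture by reading the file into `analyse_tls_log`; the verdict distinguishes "the supplicant chose no certificate" from a handshake that stalled for another reason, which is the split the Certificate_Compatibility wiki page asks you to make first.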

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread Martin Kraus
On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> doesn't.

Hi.

make fragment_size in modules/inner-eap smaller than fragment_size in eap.conf

I've got 1200 in inner-eap and 1400 in eap.conf

cheers
mk


Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Thanks Martin,

I had already changed this in the config, but it led me to the real issue,
which was that I'd added an eap inner-eap section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed
the modules/inner-eap file it all works fine.

Thanks again,
John.



On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote:

> On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
> > I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
> > EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
> > doesn't.
>
> Hi.
>
> make fragment_size in modules/inner-eap smaller than fragment_size in
> eap.conf
>
> I've got 1200 in inner-eap and 1400 in eap.conf
>
> cheers
> mk




-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Version 2.2.1 has been released.

2013-09-17 Thread Alan DeKok
  After a long wait, we have released the 2.2.1 version of FreeRADIUS.
The focus of this release is stability.  Minor features may be added,
but the goal is to increase system stability at the cost of missing
features.

  People interested in major new features should look at the v3 release
branch.  Our focus now is fixing the last few issues in v3, before
making a new release.

  Once v3 has been released, there will be no further new development on
Version 2.  Bug fixes and security issues will be addressed for three
(3) years after v3 has been released.

  The change log for v2.2.1 is as follows:

  Alan DeKok
  FreeRADIUS Project Leader

-

Feature improvements
* Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru,
  telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
* Added %{randstr:..} support. Creates random strings in a
  controllable format.
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{sha1:...} for SHA1 hashing of data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
  and %{tobase64:...} for the printable string form (e.g. 1.2.3.4),
  and %{base64tohex:...} to convert a base64 string to a hex string.
* rlm_expr is now responsible for registering many of the xlat
  expansions. This is cleaner than bundling them all in the server
  core. You should ensure 'expr' is listed in instantiate to ensure
  correct operation of xlat expansions.
* Use correct terminology when printing errors regarding request/
  response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction.
  Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the
  request.
* On startup, the server checks if it was linked with the correct
  OpenSSL libraries.  If not, it errors out.  This prevents later
  crashes in OpenSSL, due to library incompatibilities.
* Added radmin command hup main.log, to re-open the log files,
  without HUPing any other part of the server.
* Added support for EAP-Key-Name.  See raddb/sites-available/default,
  and look for comments mentioning EAP-Key-Name.  MacSec now works.
* Added support for hex numbers (0x...) to %{expr: ...}
* Backported TLS client certificate validation from 3.0.0.
* Run Post-Auth for EAP inner-tunnel methods.
* Added more RFCs
* Added show config path to radmin.  You can now examine any
  configuration item in a running server.
* Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP
  methods.  It is set automatically from the fields in the certificate.
* Add CRLCP attribute in certificate creation script.  Windows phones
  require it.  Patch from Alan Buxey.

Bug fixes
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM.  Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures
  the server.
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient.
  Patch from John Dennis.
* Ignore .rpmnew and a bunch of other files when loading config
  files from a directory.
* Wait for child threads before exiting.  This prevents errors on
  exit, but may increase exit time if databases are blocked!
  Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory
  corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are
  made
* Track return code priorities across if/else/elsif in unlang.
  Closes #107
* In debug mode, print out DHCP options when sending a DHCP packet.
* Fixes to the redis modules from Brian Candler
* Print better debug message for LDAP operations error
* Fix a number of minor issues as found by Coverity
* Frees module config in order to prevent occasional crash on exit
* Update DHCP debugging messages to make it clearer what's
  going on.
* Print multiple DHCP options the correct number of times in
  debugging mode
* On debug builds, don't dlclose() modules when '-m' is used.
  This allows valgrind to show module symbols.
* Don't count Status-Server packets in Access-Request statistics
* Minor cleanups to debug output
* Be more careful handling module configurations to avoid crash
  on otherwise clean exit.
* For raddebug, correctly set the group of the output file.
* renamed dhclient to dhcpclient.  People who install it
  shouldn't have their systems broken.
* for EAP-TLS methods, random_file is no longer required.
  OpenSSL already reads /dev/urandom.
* Fix Suse and Redhat scripts.  Patches from Fajar Nugraha.
* Minor bug fix for base64 decoding.
* Allow two consecutive WiMAX TLVs of the same number.
* Remove requirement that User-Name has to match MS-CHAP-User-Name.
  I18n issues means that the character sets could be 

Re: reconnecting to mysql

2013-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2013, at 18:22, Edgars Makņa edg...@dtg.lv wrote:

> Hello,
>
> I just set up 2.2.0 from freebsd ports. In the testing environment it looks
> okay except this error:
> rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
>
> It appears on every second authorization attempt. Ping to mysql server runs
> fine, other DBs work without any clue.
> Google didn't give me any answers about this problem.
>

Looks like MySQL (or something else) is closing the connection after one query? Why don't you trace it and find out.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


Re: Freeradius2 + MySQL + Accounting

2013-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2013, at 18:41, Wederson Rodrigues weder...@vipvilhena.com.br wrote:

> Regards,
>
> I have a server configured with freeradius2 rlm_mysql and have
> authentication working well. But the Accounting is only done on start
> and stop. Wanted it to be done every 5 minutes (300 interim-update)
> but is not working.

I'm guessing you're not expecting radtest to carry on running in the background
and generate accounting traffic, right? And you're just using it for testing?

This functionality is highly NAS dependent, not all NAS support it as it's
not required behaviour by any of the RADIUS rfcs. Consult the manuals for your
NAS to check it is supported, and if that fails contact their support team
and raise a feature request.

I'm not sure why you're returning Acct-Status-Type or Calling-Station-Id in an
Access-Accept; it is not correct/appropriate to insert them into the reply.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Freeradius2 + MySQL + Accounting

2013-09-17 Thread Wederson Rodrigues
Regards,

I have a server configured with freeradius2 rlm_mysql and have
authentication working well. But the Accounting is only done on start
and stop. Wanted it to be done every 5 minutes (300 interim-update)
but is not working.

Radtest result:

Sending Access-Request of id 250 to 127.0.0.1 port 1812
 User-Name = cebolark2
 User-Password = x
 NAS-IP-Address = xxx
 NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id =
250, length = 59
 Acct-Status-Type = Interim-Update
 Acct-Interim-Interval = 300
 Calling-Station-Id = C89CDC4B8CA9
 Filter-Id = m2048
 Framed-IP-Address = yyy.yyy.yyy.yyy

But the radacct table is not updated, only on start and stop.
-- 

[]'s

-
.'. Wederson Rodrigues .'.  (CeBoLaRk)
VIP - Vilhena Internet Provider
IT Manager

http://www.vipvilhena.com.br
MSN: cebol...@hotmail.com
SKYPE: cebolark
EMAIL: weder...@vipvilhena.com.br
INOC VOIP: 28240*100
Mobile: 0xx69 8437-0186
Landline: 0xx69 3322-2244




Re: Freeradius2 + MySQL + Accounting

2013-09-17 Thread Arran Cudbard-Bell

On 17 Sep 2013, at 19:02, Wederson Rodrigues weder...@vipvilhena.com.br wrote:

> I used radtest just to show the attributes that are returning.
>
> I'm using a debian (ppp) as NAS, with the enabled plugins: plugin
> rp-radius.so pppoe.so radattr.so

Even better, RTFS.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



reconnecting to mysql

2013-09-17 Thread Edgars Makņa

Hello,

I just set up 2.2.0 from freebsd ports. In the testing environment it looks okay
except this error:
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1

It appears on every second authorization attempt. Ping to mysql server runs
fine, other DBs work without any clue.
Google didn't give me any answers about this problem.

rad_recv: Access-Request packet from host 127.0.0.1 port 27983, id=47, length=50
User-Name = 2-40
User-Password = PjTKX2Ln
Framed-Protocol = PPP
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 2-40, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> 2-40
[sql] sql_set_user escaped user --> '2-40'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribu
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribu
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergrou
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, grou
[sql] User found in group Plaza20
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, grou
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password PjTKX2Ln
[pap] Using CRYPT password PCA82A.D836/k
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [2-40/PjTKX2Ln] (from client localhost port 0)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> 2-40
[sql] sql_set_user escaped user --> '2-40'
[sql] expand: %{User-Password} -> PjTKX2Ln
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}',
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 47 to 127.0.0.1 port 27983
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 47 with timestamp +51
Ready to process requests.


Thanks. 
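Arran's suggestion to "trace it" can start with the debug output already in hand. MySQL error 2006 is CR_SERVER_GONE_ERROR ("MySQL server has gone away"); in the excerpt it appears right after a socket is reserved, and rlm_sql reconnects transparently, so authentication still succeeds and the only symptom is the reconnect churn. The script below is an added example, not part of this thread or of FreeRADIUS, that extracts each SQL_DOWN event from radiusd -X output together with the request id, socket and query it hit, so the pattern (which socket, which query, how often per request) is visible before you reach for a packet capture on the MySQL side. The sample is constructed from the log above with wrapped lines rejoined and the User-Password line left out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the radiusd -X excerpt from this thread with wrapped lines
# rejoined, the "->" arrows restored and the User-Password line left out.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 27983, id=47, length=50
User-Name = 2-40
Framed-Protocol = PPP
[sql] expand: %{User-Name} -> 2-40
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribu
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}',
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): Released sql socket id: 1
Sending Access-Accept of id 47 to 127.0.0.1 port 27983
"""

REQ_RE = re.compile(r"rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SOCKET_RE = re.compile(r"Reserving sql socket id: (\d+)")
QUERY_RE = re.compile(r"(?:expand:|query is) ((?:SELECT|INSERT|UPDATE|DELETE)\b.*)")
DOWN_RE = re.compile(r"MYSQL check_error: (\d+), returning SQL_DOWN")
RECONNECT_RE = re.compile(r"Connected new DB handle, #(\d+)")


@dataclass
class SqlDownEvent:
    request_id: Optional[str]   # RADIUS packet id the failure happened in
    socket: Optional[str]       # rlm_sql socket that had been reserved
    mysql_errno: int            # 2006 = CR_SERVER_GONE_ERROR
    query: str                  # query template that hit the dead connection
    recovered: bool = False     # a new DB handle was connected afterwards


def sql_down_events(text: str) -> List[SqlDownEvent]:
    """Walk radiusd -X output and collect every SQL_DOWN with its context."""
    events: List[SqlDownEvent] = []
    request_id: Optional[str] = None
    socket: Optional[str] = None
    last_query = ""
    for line in text.splitlines():
        if m := REQ_RE.search(line):
            request_id = m.group(1)
        elif m := SOCKET_RE.search(line):
            socket = m.group(1)
        elif m := QUERY_RE.search(line):
            # keep the template only, not the expanded copy after "->"
            last_query = m.group(1).split(" -> ")[0].strip()
        elif m := DOWN_RE.search(line):
            events.append(SqlDownEvent(request_id, socket, int(m.group(1)), last_query))
        elif RECONNECT_RE.search(line) and events and not events[-1].recovered:
            events[-1].recovered = True
    return events


def reconnects_per_request(events: List[SqlDownEvent]) -> Dict[str, int]:
    """How many SQL_DOWN/reconnect cycles each RADIUS request paid for."""
    counts: Dict[str, int] = {}
    for e in events:
        key = e.request_id or "?"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = sql_down_events(SAMPLE_LOG)
    for e in evs:
        print(f"request {e.request_id} socket {e.socket} errno {e.mysql_errno} "
              f"recovered={e.recovered} query={e.query[:60]!r}")
    print(reconnects_per_request(evs))
```

Feed it a longer capture and the per-request counts show whether every socket in the pool dies once and then works (an idle-timeout or proxy between the server and MySQL closing connections the pool still holds) or whether each query costs a reconnect; the two cases point at different places to look next.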